Experts have cautioned that hackers are delivering Remote Access Trojans (RAT) to gullible victims through a novel phishing technique.
This is the opinion of cybersecurity experts Perception Point, who recently published information about a campaign they named Operation PhantomBlu that made use of the Object Linking and Embedding (OLE) technique.
This Windows feature enables users to link and embed documents inside other documents, creating compound files that contain components from various applications.
New Phishing Methods
The typical phishing email that purports to be from the victim’s company’s accounting department opens the campaign. Since Brevo, a reputable marketing platform, is sending emails, there has likely been some sort of compromise on the platform.
An attachment to the email is a Word document titled “Monthly Salary Report.” When a victim downloads the file, they are prompted to enter a password before double-clicking an embedded printer icon.
The victim launches a PowerShell dropper that launches the NetSupport RAT from a remote server, by executing a ZIP archive file containing a Windows shortcut file.
“By using encrypted docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” Ariel Davidpur said, the report’s author, adding the updated technique “showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering,” Techradar reported.
A repurposed version of the legal remote control programme NetSupport Manager, which was first made available in 1989, is called NetSupport RAT. NetSupport RAT was one of the most widely used remote access trojans for many years, giving attackers unrestricted access to compromised devices. After they have access, they can use it to spread ransomware and other extremely harmful malware, such as infostealers.
Being cautious when opening emails and only downloading attachments from reputable sources are the best defences against these attacks.
Trojans Getting Deployed Via AWS And GitHub
Another phishing campaign has been identified by Fortinet FortiGuard Labs researcher Yurren Wan, where threat actors are delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.
“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” stated Wan, while interacting with The Hacker News.
“An unusual aspect of the campaign is VCURMS’ use of a Proton Mail email address (“sacriliage@proton[.]me”) for communicating with a command-and-control (C2) server,” the expert noted further.
As per Wan, the attack chain starts with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS. Executing the JAR file (package file format typically used to aggregate many Java class files and associated metadata and resources into one file for distribution) then leads to the retrieval of two more JAR files, which are then run separately to launch the twin trojans.
“Besides sending an email with the message “Hey master, I am online” to the threat actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract the command to be executed from the body of the missive. This includes running arbitrary commands using cmd.exe, gathering system information, searching and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint,” Wan stated further.
The information stealer comes fitted with capabilities to siphon sensitive data from apps like Discord and Steam, credentials, cookies, and auto-fill data from various web browsers, screenshots, and extensive hardware and network information about the compromised hosts.
VCURMS also shares similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild in late 2024.
Noting that STRRAT has been detected since 2020, often propagated in the form of fraudulent JAR files, Wan observed further, “STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications.”